Response to Arguments

Applicant's arguments filed on June/28/2004 have been fully considered but they are not 
persuasive. 

Applicant on page 2, line 17, argues that there is nothing in Shi that either teaches or
suggests that Shi's cookie is "unmodifiable." Shi does not anticipate the presently claimed
invention because he does not teach the elements of "transmitting an unmodifiable
cookie" or "storing the unmodifiable cookie." In fact as mentioned above, Shi replaces a
first cookie with a second cookie, an action that is most certainly a modification. In order
to describe the unmodifiable nature of Applicant's cookie, Applicant's specification
includes several examples of techniques that can be employed to guarantee this aspect
of the claims. For example, one technique involves using an encryption code known only
to the web browser 32. Another disclosed technique employs public and private cookie
files [36]. In short, unlike the current application, Shi neither teaches nor suggests an
unmodifiable cookie containing state information. Shi et al., on col 7, lines 26-34,
discloses that the distributed computing environment includes a security service for 
returning a credential to a user authenticated to access the distributed file system. In 
response to receipt by the Web server of a user id and password from the Web client, a 
login protocol is executed with the security service. If the user can be authenticated, a 
credential is stored in an in-memory credential database of credentials associated with 
authenticated users. The Web server then returns to the Web client a persistent client 
state object having a unique identifier therein. This object, sometimes referred to as a 
cookie, is then used to enable the Web client to browse Web documents in the distributed 
file system. In particular, when the Web client desires to make a subsequent request to 
the distributed file system, the persistent client state object including the identifier is used 
in lieu of the user's id and password, which makes the session much more secure. In 
this operation, the cookie identifier is used as a pointer into the in-memory credential 
database, and the credential is then retrieved and used to facilitate multiple file accesses 
from the distributed file system. 

Regarding claims 3 and 9, applicant on page 2, line 28, argues that Shi does not teach or
suggest storing a single cookie in two different files, a public file and a private file. Rather,
Shi is directed to the storage of multiple files, some of which are protected by Web
server security and some protected by DFS security. For example, Shi refers to both
the documents stored on the server local directory (protected by Web server security) and
DFS (protected by DFS security). In other words, Shi is describing multiple documents
rather than a single document. Further, Shi describes the problem of a user being
prompted for a user id and a password every time there is a switch from DFS document to
web server document, and vice versa. Clearly, Shi is talking about at least two different
documents. Shi, on col 8, lines 58-61, teaches that at step 78, the DFS credential generated
by the login (to the DCE Security Server) is stored in a database (preferably an in-memory
storage) associated with the session manager and indexed by the unique id. Col 9, lines
8-15: subsequent requests from the browser carry the cookie with the unique id and thus
steps 84, 86 and 88 are repeated for all subsequent requests. Thus, according to the 
invention, it is only required to pass user id and password a single time, namely, when the 
user initially logs into DFS. Thereafter, a cookie with a unique id is passed on subsequent 
requests. 

Applicant on page 3, line 7, argues that with respect to claims 4 and 10, the Office Action
mischaracterizes performing a path check as checking the public cookie file for a matching
unmodifiable cookie. As mentioned above, Shi does not maintain two copies of a single
file. Further, performing a path check typically involves an attempt to access a particular
file rather than any attempt to match files. Shi, on col 7, lines 26-34, teaches that when searching the
cookie list for a valid cookie, a comparison of the domain attributes of the cookie is made 
with the Internet domain name of the host from which the URL will be fetched. If there is a 
tail match, then the cookie will go through path matching to see if it should be sent. "Tail 
matching" means that domain attribute is matched against the tail of the fully qualified 
domain name of the host. 
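
The tail-match-then-path-match selection described above, as an added JavaScript example (not from Shi, the Office action, or any browser's source). Function names and the sample cookie list are constructed; the boundary-aware variant is an added hardening that the cited passage does not describe, shown beside a plain suffix comparison to make the difference visible.

```javascript
// Added example: cookie selection by domain tail match, then path match.
// All names and sample cookies are constructed for illustration.

// Naive tail match: plain string suffix comparison of host against the
// cookie's domain attribute.
function naiveTailMatch(host, domainAttr) {
  return host.toLowerCase().endsWith(domainAttr.toLowerCase());
}

// Boundary-aware tail match: the suffix must begin at a label boundary,
// and IP-literal hosts only match exactly.
function strictTailMatch(host, domainAttr) {
  const h = host.toLowerCase();
  const d = domainAttr.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// Path match: the cookie path must be a prefix of the request path that
// ends at a "/" boundary.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Return the names of the cookies that would be sent with a request for url.
function cookiesFor(url, jar, tailMatch) {
  const { hostname, pathname } = new URL(url);
  return jar
    .filter((c) => tailMatch(hostname, c.domain) && pathMatch(pathname, c.path))
    .map((c) => c.name);
}

// Constructed cookie list.
const jar = [
  { name: "sid", domain: "example.com", path: "/dfs" },
  { name: "pref", domain: "www.example.com", path: "/" },
];
```

With the plain suffix comparison, a request to the unrelated host `badexample.com` would carry `sid`; the boundary-aware match sends nothing to that host.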

Applicant on page 3, line 14, argues that with respect to claims 6 and 12, Wagner is
directed at refreshing a public cookie by sending HTML files from a server to update an
area within a previously transmitted page or, in other words, updating the cookie because
an area within the previously transmitted page has been modified. This cannot be
characterized as updating the public cookie file to reflect the unmodifiable cookies found in
the private cookie file. Obviously, Wagner is only updating the public cookie, when that
which he is copying has been modified. Wagner (col 3, lines 42-52) discloses that to
address the need to detect interpretive language programs and cookie commands data 
segments of data streams, some known browsers have been modified to include a 
function which a user may activate to prevent the execution of interpretive language 
programs and cookie commands. Typically, the browser is modified so the portion of the 
browser program that passes an interpretive language program or cookie command to an 
interpreter for execution, checks a switch which may be set by a user, to determine 
whether passing programs and commands to the interpreter is enabled. 
Therefore it would have been obvious for one of ordinary skill in the art at the time the
invention was made to combine the references because, while these modified browsers
disable the execution of interpretive programs and cookie commands, they do not notify a 
user that an interpretive program or cookie command was detected. Thus, users are 
unaware of those server sites that attempt to send interpretive programs and cookie 
commands to the user's browser and, as a result, the user may deactivate the interpretive 
program and cookie command disabling function of the browser. Thereafter, the user may 
request an HTML file from a server previously visited and receive an interpretive program or 
cookie command that now executes on the user's computer. If the user had known the 
server site was sending interpretive programs or cookie commands, the user may have 
chosen not to request files from the server. What is needed is a program which detects 
programs or cookie commands embedded within a data stream received from another 
computer and which notifies the user of the interpretative language program or cookie 
command so the user may be aware that the server is sending interpretive programs or 
cookie commands. What is needed is a program, which notifies the user of detected 
interpretive programs and cookie commands without modifying the browser program. 
What is needed is a way to restrict access to resources or data on a computer when the 
computer is in communication with another computer, (col 3, lines 52-67) and (col 3, lines 
1-10). 

Regarding dependent claims, because the arguments with respect to the allowableness of
independent claims were found unpersuasive, these same arguments are not persuasive
with respect to the other independent claims. 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by
another filed in the United States before the invention by the applicant for patent or (2) a patent granted
on an application for patent by another filed in the United States before the invention by the applicant for
patent, except that an international application filed under the treaty defined in section 351(a) shall have
the effects for purposes of this subsection of an application filed in the United States only if the 
international application designated the United States and was published under Article 21(2) of such 
treaty in the English language. 

Claims 1-5, 7-11, and 13-15 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Shi et al. (US Patent No. 5,875,296) 

1. As per claims 1, 7, 8, 13 and 14, a method of maintaining state information on a
client, the method comprising: transmitting an unmodifiable cookie, which specifies state 
information from a server to the client; and storing the unmodifiable cookie on the client, 
(corresponds to when the Web server sends the Web client a login HTML form and a first 
cookie including a URL identified by the HTTP request. Col 3, lines 22-46) 

2. As per claims 2 and 15, the method wherein the unmodifiable cookie is transmitted 
from the client to the server when the client makes predefined requests to the server and 
wherein the unmodifiable cookie is transmitted with the file, (the Web client transmits the 
completed form along with the first cookie (including the URL entry) back to the Web 
server. Col 3, lines 22-46) 

3. As per claims 3 and 9, the method wherein a copy of the unmodifiable cookie is 
stored in a public cookie file and the unmodifiable cookie is stored in a private cookie file 
in a location separate from the public cookie file on the client. (If a mechanism is provided 
for having the Web server access the distributed file system, the Web server will maintain
both the documents stored on the server local directory (protected by Web server 
security) and DFS (protected by DFS security), col 2, lines 1-18) 

4. As per claims 4 and 10, the method further comprising in response to a request
from the client for a document requiring an unmodifiable cookie, checking the public 
cookie file for a matching unmodifiable cookie. (At step 34, called path checks, the server 
performs various tests on the resulting path to ensure that the given client may retrieve 
the document. Col 2, lines 62-67) 

5. As per claims 5 and 11, the method where no matching unmodifiable cookie is
present in the public cookie file, checking the private cookie file for a matching 
unmodifiable cookie, (corresponds to when searching the cookie list for a valid cookie, a 
comparison of the domain attributes of the cookie is made with the Internet domain name 
of the host from which the URL will be fetched. If there is a tail match, then the cookie 
will go through path matching to see if it should be sent. Col 7, lines 26-36) 

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth 
in section 102 of this title, if the differences between the subject matter sought to be patented and the
prior art are such that the subject matter as a whole would have been obvious at the time the invention 
was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability 
shall not be negatived by the manner in which the invention was made. 

Claims 6 and 12 are rejected under 35 U.S.C. 103(a) as being unpatentable over Shi et al. 
(US Patent No. 5,875,296) and further in view of Wagner (US Patent No. 6,085,224) 

6. As per claims 6 and 12, the method further comprising updating the public cookie file 
to reflect the unmodifiable cookies found in the private cookie file. Shi et al. do not explicitly 
teach updating the public cookie, however Wagner discloses that file Refresh files are
typically HTML files sent by a server to update an area within a previously transmitted page.
Therefore, it would have been obvious to one of ordinary skill in the art at the time the
invention was made to incorporate Shi's distributed file system with cookies with method
and system for responding to hidden data and programs in a DataStream taught by
Wagner because, while these modified browsers disable the execution of interpretive
programs and cookie commands, they do not notify a user that an interpretive program or 
cookie command was detected. Thus, users are unaware of those server sites that attempt 
to send interpretive programs and cookie commands to the user's browser and, as a result, 
the user may deactivate the interpretive program and cookie command disabling function of 
the browser. Thereafter, the user may request an HTML file from a server previously 
visited and receive an interpretive program or cookie command that now executes on the 
user's computer. If the user had known the server site was sending interpretive programs 
or cookie commands, the user may have chosen not to request files from the server. What 
is needed is a program which detects programs or cookie commands embedded within a 
data stream received from another computer and which notifies the user of the 
interpretative language program or cookie command so the user may be aware that the 
server is sending interpretive programs or cookie commands. What is needed is a 
program, which notifies the user of detected interpretive programs and cookie commands 
without modifying the browser program. What is needed is a way to restrict access to 
resources or data on a computer when the computer is in communication with another 
computer. 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until
after the end of the THREE-MONTH shortened statutory period, then the shortened 
statutory period will expire on the date the advisory action is mailed, and any extension 
fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory 
action. In no event, however, will the statutory period for reply expire later than SIX 
MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Mitra Kianersi whose telephone number is (703) 305-4650. 
The examiner can normally be reached on 7:00AM-4:00PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, David Wiley can be reached on (703) 308-5221. The fax phone number for
the organization where this application or proceeding is assigned is 703-872-9306. 



Mitra Kianersi 
09/14/2004 




